With 30,000-plus employees located in 100 countries around the world, Sun Microsystems is a leading provider of industrial-strength hardware, software and services. Because of increased board attention to optimizing the value of IT, Sarbanes-Oxley legislation and other business initiatives, Sun’s information technology (IT) department sought the use of a common framework to view and measure IT’s alignment and contribution to its overall business strategy. After researching options, Sun’s CIO recommended implementation of the Control Objectives for Information and related Technology (COBIT) framework. COBIT’s contributions to Sun’s goals were identified, and it was adopted and successfully enhanced the already effective process improvement work being accomplished with limited resources.
Since its inception in 1982, a singular vision—The Network is the Computer—has propelled Sun Microsystems to its position as a leading provider of industrial-strength hardware, software and services that make the Internet work. Sun’s 30,000-plus employees are located in 100 countries around the world.
The global scope and scale of Sun’s information technology (IT) department include supporting the Sun community with 600 applications, six data centers, 1,700 data center servers, 600 terabytes of data, four million internal web pages and five million e-mails per day.
Figure 1 shows the organizational structure of Sun IT in 2004. It starts with the strategy, architecture and technological direction. From there, the system development, integration and deployment are organized closely around the type of business systems being dealt with, such as demand creation systems or engineering and fulfillment systems. The IT service management group is focused on defining processes, standards and tools that bridge the development and the service delivery worlds. Application support and operations focus on service support and delivery. The governance organization focuses on budget and monitoring activities.
Sun Microsystems’ IT department was facing many issues in early 2004, including:
Some IT staff understood the value of using a common framework to view and measure Sun IT’s alignment and contribution to Sun’s overall business strategy. In fact, the CIO had said that the organization would use Control Objectives for Information and related Technology (COBIT) as the framework. Sun’s culture is built on innovation, and great value is placed on contrarian thinking. So, even though the CIO had approved the use of COBIT, actual implementation of the framework required an approach that built acceptance and adoption of the various elements of COBIT while taking into account the substantial process improvement work already being done in a significantly resource-constrained environment.
At the same time, the organization also expected to begin its SOX reporting at the end of its fiscal year. Sun’s finance department was driving the SOX compliance effort, and IT was actively involved. As with most organizations, significant resources were being spent on the SOX compliance effort, and that effort continued even after learning that the first official reporting requirement had been pushed further back.
The following questions needed to be answered:
Initially, IT executive support for using COBIT was limited. The CIO and the vice president for IT governance were championing the framework, but there was resistance from most of the other executives, and for good reasons.
First, the organization had not done a thorough job of helping them understand what COBIT is and, more specifically, how it could add value.
Second, only 18 to 24 months earlier, the company had significantly transformed the Sun IT organization, moving from a distributed approach with an IT group for each business unit to one unified Sun IT for one Sun. This facilitated the creation and institutionalization of common standardized processes. Sun embraced Sigma, the IT Infrastructure Library (ITIL) and other process improvement methods. Some of the questions asked were: "If the organization already knows what it needs to work on, and it follows industry best practices as it makes improvements, what does COBIT give it that it doesn't already have? Does COBIT replace ITIL?"
Even those who were open-minded about using COBIT expressed concerns about the potential resource impact. Resources were already stretched thin, and the organization knew additional resources would not be available. Would the organization have the necessary resources to implement COBIT in addition to everything else it was doing?
At the same time that the executives were weighing their personal support for COBIT, the organization had begun intensive preparation for SOX. At that time the expected requirement for the initial SOX 404 compliance was June 2004.
The IT internal control framework was developed before the organization had a good understanding of COBIT in general and how COBIT applies to Sun IT specifically. At present, there are only controls related to financial reporting in the formal IT internal control framework, but the organization sees it expanding beyond that, as acceptance and adoption of COBIT continue to grow. The organization’s general controls cover 22 processes with 194 controls. When those 194 controls are localized, the number grows to 1,114. The application controls cover approximately 125 applications with seven general categories of controls. Those categories are:
Sun’s SOX compliance effort put this initial compliance framework in place and has been instrumental in introducing the concept of internal controls to a broad IT audience.
At the same time, the decision was made to look at IT activities that might be candidates for potential outsourcing. This was a great opportunity to reintroduce COBIT to the IT executives. Very quickly they saw the value of having a common framework that generically described what IT-related work is done in an organization. They decided to take an end-to-end look at the Sun IT processes and activities using the COBIT Management Guidelines and Control Objectives to ensure coverage of all processes. The most senior IT executives did this themselves, and the result was called the Sun IT/COBIT Activities Listing, which maps Sun IT processes and activities to COBIT. Figure 2 is an example from this mapping, showing the Monitor and Evaluate domain.
Figure 2—Extract from Activities Listing
Note: SBS PLC stands for Sun Business Systems Product Life Cycle, Sun’s implementation of a system development life cycle (SDLC).
This mapping was extremely valuable when a cross-organizational team was asked to review the alignment of the internal IT organizations. Here again the organization took the opportunity to introduce COBIT to this team and help them understand COBIT’s value. With that understanding in place, the decision to use the mapping prepared by the senior IT executives was readily accepted.
The Sun IT/COBIT activities were then mapped to existing organizational activities, and redundancies, gaps and joint activities were called out. Finally, organizational owners were added to the Sun IT/COBIT activities listing, and their work was validated with the IT executives. Figure 3 provides a high-level view of the revised listing for the Plan and Organize domain with the organization owners identified. The abbreviated organization names relate to the organizations shown in figure 1.
Figure 3—High-level Mapping With Organizational Owners
COBIT Domain: Plan and Organize (PO)
The Plan and Organize domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organization, as well as technology infrastructure, must be put in place.
Because this mapping was developed by the organization’s IT executives and senior management, it has proven very helpful in building acceptance and adoption of COBIT. Still, this did not eliminate concerns about resource constraints and the impact on ongoing process improvement efforts.
The organization decided to first look at how the initial SOX-spawned internal controls framework could be expanded to include controls not related to financial reporting. This had to be accomplished in a way that took into account the resource constraints and the experience gained through the SOX compliance effort. The Sigma methodology was used to ensure that the views of control assessment process participants and, in particular, key stakeholders were taken into account.
The result is an IT compliance framework that has two components: a formal internal control framework for SOX and selected other controls, and a less formal component based in part on COBIT process maturity model assessments. Figure 4 shows the end-to-end elements of the process.
The element titled “Establish Scope of IT Compliance Framework” is the part of the process where the organization moved beyond simply meeting SOX objectives to embracing COBIT more fully. The steps identified in this subprocess are:
The assessments (steps 3 through 6) automatically become part of the IT compliance framework. Steps 7 and 8 determine whether any of the processes warrant promotion to the formal component of the framework. If a process is made part of the formal controls framework, it is subject to the same formal documentation and testing requirements as any control related to financial reporting.
Figure 5 is an example of the organization’s compliance framework process assessment worksheet. It is meant to be used in a 90-minute facilitated session with process experts and the IT executive who owns the process to give them a high-level subjective (but expert) assessment of the process.
Figure 5—Example Assessment Worksheet
Compliance Framework Process Assessment Workshop
PO1 Define a strategic IT plan: Defining a strategic IT plan satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensure its further accomplishment. This activity is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans, which are periodically translated into operational plans setting clear and concrete short-term goals. Components of the IT strategy include the IT operational model, the applications development model, the enterprise architecture and all of its components, the sourcing strategy, the governance model and the service delivery model. See COBIT Control Objectives, page 32, for details.
The elements in the assessment worksheet are based on feedback from senior IT management and reflect the key data they felt were needed to make an informed decision on inclusion of a process in the formal controls framework. Additionally, a summary is needed to present multiple process assessment results. Figure 6 is an example of the compliance framework process assessment summary. It includes maturity model assessment results in a radar-style chart. The cost element on the four-quadrant chart is a composite of the “cost” and “ease to implement” components of the assessment worksheet.
With acceptance growing, the organization set out to build on that momentum with a three-pronged approach:
Moving forward, Sun will continue with these future-thinking activities. The organization expects that by conducting compliance framework process assessments, it will further extend the acceptance and adoption of COBIT. By exposing all process owners to COBIT in a meaningful setting, the assessment will help them see the value of adopting elements of COBIT whether or not their process is added to the formal controls framework.
Implementing COBIT at Sun Microsystems has been possible because senior IT management was open-minded about using it in specific situations where the value was absolutely clear. Senior management’s growing use and acceptance of COBIT is filtering throughout the organization and encouraging others to look at how COBIT's components can add value to their IT work.